5 Replies Latest reply on Sep 18, 2013 8:09 AM by bblanchard

    Agent Handler in DMZ

    bblanchard

      I currently have an Agent Handler in the DMZ for users that are outside of the organization to be able to communicate with the ePO infrastructure to get the latest updates/policies/tasks.

       

      I can install a new agent using the framepkg.exe file on a machine that is outside of the network. Once installed, it will eventually communicate (after 2-3 minutes) with my agent handler in the DMZ and get all the updates/tasks/policies, so it seems to be working fine. When I look at the Agent Properties, the first agent handler in the list is the DMZ AH with the public IP, followed by the main ePO server and the fallback agent handlers, so everything looks good.

       

      The problem arises when I reboot the laptop. I look at the McAfee Agent Monitor and I always get "Agent Failed to communicate with ePO Server". The Agent Properties still list the agent handlers in the correct order (AH in the DMZ being the first one). I also do a test from my web browser by trying to connect to https://<publicAH-IP>, which also works (confirmed by looking at the firewall logs).

       

      Any idea why the agent fails to connect to the AH?

      Does the Agent Handler in the DMZ also require a published DNS name in addition to the public IP, or is the IP sufficient?

        • 1. Re: Agent Handler in DMZ
          petersimmons

          It doesn't technically require the published hostname, but if its internal hostname doesn't match some resolvable address with the public DNS system then it could be the source of your problems. If it ever fails to connect and then attempts to resolve it, the agent could get stuck with the wrong address. Usually I edit the published hostname but leave the IP blank. Letting DNS do the heavy lifting is usually the right way to go.

          • 2. Re: Agent Handler in DMZ
            bblanchard

            Well, I don't have a published hostname, only a public IP associated to it.

            The weird thing is that it connects once I install the framepkg and gets all the policies/tasks/packages. It's when I force it to reconnect that it can't reach it. Maybe I'll try to set up a public DNS entry for it.

            Does this agent handler need to be a distributed repository as well? Do I need to set up a public repository for agents outside of the network, or is the public AH enough?

            • 3. Re: Agent Handler in DMZ
              petersimmons

              The problem is within the sitelist. The first connect updates it. You will need an externally addressable hostname and a published hostname. Likely the client is still attempting to resolve the internal name and it is coming up with unusable results.

              • 4. Re: Agent Handler in DMZ
                Mohammad Firdaus Juhari

                Hi all,

                 

                I'm having the same issue. Prior to testing my setting with an external machine, I tested our published DNS name and ePO server-AH server, and both of them worked pretty well.

                The problem arose when I tested my setting with an external machine and I had exactly the same "Agent Failed to communicate with ePO Server" message.

                • 5. Re: Agent Handler in DMZ
                  bblanchard

                  Adding a published DNS to the agent handler seems to have solved my problem.